CVE-2026-58126: PACSgear PACS Scan 5.2.1 Unauthenticated RCE via .NET Remoting TCP Service
PACSgear PACS Scan 5.2.1 contains an unauthenticated remote code execution vulnerability that allows remote attackers to read and write arbitrary files by exploiting an exposed .NET Remoting TCP service on port 22222 via PGImageExchQueue.exe without any authentication requirement. Attackers can chain the arbitrary file write primitive with DLL hijacking in PGImageExchangeQueueSvc.exe, which loads missing DLLs such as CRYPTSP.DLL from the application directory, to achieve remote code execution as NT Authority\SYSTEM upon service restart.
Metrics
- CVSS v4.0
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An unauthenticated remote code execution vulnerability affects PACSgear PACS Scan 5.2.1 via an exposed .NET Remoting TCP service on port 22222. The service requires no authentication and is reachable over the network, allowing any attacker who can connect to read and write arbitrary files, then escalate to code execution by planting a malicious DLL that the service loads on restart. Successful exploitation gives the attacker full SYSTEM-level control of the host. No vendor patch has been published; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection of CVE-2026-58126 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle PACSgear PACS Scan 5.2.1. Any image found to carry the affected binary is flagged immediately.
AvailableHarborGuard scores this CVE at CVSS v4.0 9.3 (Critical) and surfaces it with that severity weighting in each customer's triage queue. Per-environment compliance policy rules can adjust priority and route the finding to the appropriate team or inbox within the customer org.
AvailableBecause no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the interim, compensating controls such as network-policy isolation of port 22222 and egress filtering on affected workloads are available to flag and enforce through HarborGuard policy rules.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must reach port 22222 on the target host over the network; the .NET Remoting TCP service is exposed with no network-level access restriction by default.
- AuthenticationNot required
No credentials or session token of any kind are required; the service accepts unauthenticated connections.
- Victim interactionNot required
No user action is needed; the attacker contacts the service directly without any social-engineering step.
- Attack complexityDetail
Exploitation is reliable and condition-free at the file read/write stage; the DLL hijacking step requires a service restart, which may occur naturally or be triggered by an attacker with write access to configuration files.
Blast Radius
- Reads arbitrary files on the host filesystem, including credentials, configuration data, and medical imaging records stored by the PACS application.
- Writes arbitrary files to any path accessible by the service process, enabling replacement or creation of files across the system.
- Plants a malicious DLL in the application directory that the service loads on restart, achieving code execution as NT Authority\SYSTEM.
- Full SYSTEM-level control of the host allows the attacker to pivot to adjacent systems, disable security tooling, or exfiltrate the entire data store.
How HarborGuard Handles This
Available on HarborGuard: images containing PACSgear PACS Scan 5.2.1 are matched against CVE-2026-58126 on every scan, with findings surfaced at Critical severity. Because no vendor patch exists, HarborGuard monitors the advisory on each ingest cycle and will trigger a patched-image rebuild automatically the moment an upstream fix is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads without manual intervention. While no fix is available, recommended compensating controls include applying a network policy that blocks inbound access to port 22222 from untrusted network segments, enforcing egress filtering on hosts running the affected service, and using HarborGuard policy rules to gate deployment of images carrying this CVE to production environments until a patch is confirmed.
- Hyland / PACSgear PACS Scan5.2.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N